As Google is the most popular provider of analytics software, I’m going to focus this article around Google Analytics, as it is used by the vast majority of the companies I work with.
Let’s start with Google. They take safeguarding your data very seriously, using multi-layered security to ensure that it remains safe (on their side that is), but what about the individuals and companies using it?
Well, from my experience working for various marketing agencies, most clients/companies aren’t giving their analytics data the respect it deserves when it comes to security. Talk to anyone with a background in running successful businesses, and they will more than likely tell you that intellectual property is one of the most important things when it comes to business.
For example what would happen if your competitors had access to your Google Analytics account? I’m betting that most company’s directors wouldn’t be too happy to learn that their company’s analytics data wasn’t as secure as they thought! Now, there are obviously countless ways of getting access to that data, but my main focus is on making it more secure.
But what can you do to secure your analytics data?
1. Ensure that you own your own Google Analytics property
One huge problem for companies who have used agencies, platform providers and freelancers to setup Google Analytics, is that they set it up using their own account when they made a property for a website. They then granted access at property level, rather than creating another account. I’d prefer to think that these service providers weren’t aware that what they were doing was incorrect, rather than the other more cynical reasons I’ve heard in the past; e.g. making it a ‘hook’ for you to stay with them forever.
Now, I’m a big fan of open-source, and people retaining ownership of their own data. If you are in this horrible predicament and want to own your Google Analytics data you still after many years of people requesting this feature, have to create a new Google Analytics account with a new property; deleting the original property if you don’t want the current account owner having access to it.
This unfortunately means losing all the historic data collected over the years, which isn’t ideal to say the least!
Hopefully Google will address this issue at some point in the future, but I suspect it might be a security feature so it might never happen.
If you are interested in reading more about structuring here is a very helpful guide about the hierarchy of Google Analytics accounts, users, properties and views in Google Analytics, along with examples of how to structure an account; this is specifically important if you manage Analytics for multiple websites belonging to multiple clients.
2. Don’t give access out ‘willy-nilly’ to 3rd parties
This is probably obvious for most people, but worth highlighting none the less. Do you really need to give someone access to your Google Analytics account?
The number of Google Analytics accounts I’ve logged into over the years which have dozens of users who either no longer work with the company or, even worse, no one knows who the email address belongs to, is mind blowing.
If you need to give access via a different email address make sure at the very least you keep a ledger of who it is, and why they have access. If you use an intranet within your organisation I find this very useful and I personally use SharePoint for this.
3. Keep login details safe and don’t use simple passwords
Do you know what the password is for your analytics account? Or for that matter are you confident that all the profiles which have access to your analytics data are kept secure?
Still the number of people who use easy to guess passwords is crazy, and we’re not even talking about security vulnerabilities such as Heartbleed.
Many agencies looking after a portfolio of clients choose to consolidate the access to all of their client’s analytics accounts in one ‘holding account’. Whilst there is nothing drastically wrong with this in theory, it does mean that it is common for a password which everyone in the agency can remember to be used, rather than one which is most secure. All passwords should at the very minimum be generated using a range of symbols, numbers, and upper and lower case characters which unless you’re Derren Brown you shouldn’t be able to remember. Storing the passwords in a more secure environment such as Lastpass would ensure that your passwords remain safe, whilst at the same time being still easy to find and use.
4. 2-Step verification – now’s the time to start using it!
At SALT.agency we take security seriously, and although we’re a relatively new SEO company in Leeds we felt it was important to start as we mean to go on. In order to keep our Google Analytics holding account as secure as we can we decided to use Google two-step verification.
For example in order to login to our Analytics holding account on a new device, a second verification method must be used. We’re currently using the Google Authenticator App as we’re only a small team, but we plan to use physical Security Keys as we grow to keep things secure.
5. Get 3rd party agencies to use a security key
This has only happened to me the once when working in agencies, but I expect it to become more common over the coming years as more companies start to take analytics security more seriously.
I was working with a particular client who wouldn’t grant access to our holding account for security reasons, but instead created an email address at their company with the name of the agency using their Google Apps for Business account. They then physically mailed me a key (above) in order to verify myself with two-step. This is very common working in development environments for large multinationals, and has been for many years, but this was the first time I’ve seen it used in this context.
This method is by far the best way of not only increasing security, but also keeping a record of who has access as it’s clearly identifiable to anyone looking at the account. In this case there were dozens of profiles for different stakeholders, but all the emails in the account followed the same protocol.